Deloitte & Equifax: Two Hacks, One Lesson & Your Info’s Dark Web Value.

Posted on Friday, September 29, 2017 and filed under Articles

If there’s one lesson to be learned from Deloitte and Equifax, the victims of two recent major cyber security breaches in the financial service sector announced this month, it’s that reporting incidents to stakeholders as soon as possible mitigates damage down the line.

Equifax, a major US credit reporting company, announced in early September a massive data breach that left the personal information of 143 million customers exposed (nearly 45 per cent of the US population), including social security numbers, personal identifying information, and contact information.

Deloitte, a global accounting firm with customers including many Fortune 500 companies, says that hackers accessed data from one of its email platforms and also certain client records.

Even though both companies publically disclosed hacking incidents this September, both knew about the incidents as early as last March. By the time the breaches were discovered, it’s suspected that information was compromised for months already. What this means is, hackers had a head start to do whatever they wanted with the information they’d stolen.

Despite this, it took both companies about six months to notify the public about a breach. And although Equifax says there were two separate incidents in this time frame, the latter of which was reported promptly since the company believed it had remedied the vulnerability in its network that had been exploited initially (it was the same vulnerability used in the second hack), failing to promptly notify all of its stakeholders the first time prevented people from taking action to protect themselves and/or their clients.

One US man who works in the finance sector, whose identity is not being shared here, says his credentials were stolen in the Equifax breach, including bank account and credit card information. Because he did not know about the breach, he did not set up extra measures to safeguard his information. However, he says he had implemented various passwords and authentication measures on his bank accounts at his financial institution anyways, which prevented the people who stole his identity from stealing all of the money in his accounts. They did try, though.

Had the banks and people like this man known about the breach in advance, they would have had more time to prepare to deal with stolen information and protect themselves and their clients.

This is one thing that Deloitte appears to have done well, according to what it has reported. Deloitte says it notified six of its clients, who were affected, directly about the breach without disclosing who they were to the public. This gives clients time to plan and implement their own incident response strategies. The challenge here, though, is that discovering the details of who is affected by a breach takes time. Within that timeframe cyber criminals can still do what they want with the information they’ve stolen before anyone is notified.

This includes people targeted directly in very sophisticated ways, like spear phishing scams where an attacker sends an email that looks like it comes from a service or person the victim knows and trusts. Early knowledge that information may have been compromised can alert someone to be extra careful about how they interact with the digital communications they receive.

In short, if data in your organization is ever compromised, report early and report widely. This way stakeholders can take measures to protect themselves and the efforts of cyber criminals may be thwarted a little sooner and a little more often.

What do they do with the info? And why?

Criminals can be creative and there’s no way to be certain of everything that is happening with the specific info that was stolen.

But, these hacking attempts appear to be financially motivated. Typically, in this case, information that is stolen is either sold or used to obtain more information so that the value of what is possessed increases, which means it can be sold for more money. Brokers will sell information on the dark web, where buyers pay bitcoin for anonymity reasons.

Here’s how much your information goes for on the dark web:

Payment cards

• Single credit card = $0.5 – $30
• Single credit card with full details = $20 – $60
• Dump of magnetic strip track 1&2 & PIN = $60 – $100

Services

• Media streaming services = $0.10 – $10
• Hotel reward program accounts (100K points) = $10 – $20
• Airline frequent flyer miles account (10K miles) = $5 – $35
• Taxi app accounts with credit = $0.5 – $1
• Online retail gift cards = 20% – 65% of face value
• Restaurant gift cards = 20% – 40% of face value
• Airline ticket and hotel bookings = 10% of face value

Money transfer services

• Cash-out service = 10% – 20%

Accounts

• Online bank accounts = 0.5% – 10% of account balance
• Retailer accounts = $20 – $50
• Cloud service provider accounts = $6 – $10

Identities

• Identity (Name, SSN & DOB) = $0.1 – $1.5
• Scanned passports and other documents (e.g. utility bill) = $1 – $3

* Information values are shared from Symantec’s Internet Security Threat Report.

Author Jim Stackhouse is the founder and president of NeoLore Networks Inc., an Ottawa-based technology services company that designs, implements, manages and maintains computer networks for small and medium sized businesses.